diff options
author | Davi Arnaut <davi.arnaut@gmail.com> | 2006-02-03 03:04:46 -0800 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-02-03 08:32:10 -0800 |
commit | 6d94074f0804143eac6bce72dc04447c0040e7d8 (patch) | |
tree | 2833a03682e12d81d4bd849435cd9f95e64e9350 /security/keys | |
parent | 353368dffb56b066cbe00264581a56caf0241b29 (diff) | |
download | lwn-6d94074f0804143eac6bce72dc04447c0040e7d8.tar.gz lwn-6d94074f0804143eac6bce72dc04447c0040e7d8.zip |
[PATCH] Fix keyctl usage of strnlen_user()
In the small window between strnlen_user() and copy_from_user() userspace
could alter the terminating `\0' character.
Signed-off-by: Davi Arnaut <davi.arnaut@gmail.com>
Cc: David Howells <dhowells@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'security/keys')
-rw-r--r-- | security/keys/keyctl.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 90db5c76cf6e..0c62798ac7d8 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -67,9 +67,10 @@ asmlinkage long sys_add_key(const char __user *_type, description = kmalloc(dlen + 1, GFP_KERNEL); if (!description) goto error; + description[dlen] = '\0'; ret = -EFAULT; - if (copy_from_user(description, _description, dlen + 1) != 0) + if (copy_from_user(description, _description, dlen) != 0) goto error2; /* pull the payload in if one was supplied */ @@ -161,9 +162,10 @@ asmlinkage long sys_request_key(const char __user *_type, description = kmalloc(dlen + 1, GFP_KERNEL); if (!description) goto error; + description[dlen] = '\0'; ret = -EFAULT; - if (copy_from_user(description, _description, dlen + 1) != 0) + if (copy_from_user(description, _description, dlen) != 0) goto error2; /* pull the callout info into kernel space */ @@ -182,9 +184,10 @@ asmlinkage long sys_request_key(const char __user *_type, callout_info = kmalloc(dlen + 1, GFP_KERNEL); if (!callout_info) goto error2; + callout_info[dlen] = '\0'; ret = -EFAULT; - if (copy_from_user(callout_info, _callout_info, dlen + 1) != 0) + if (copy_from_user(callout_info, _callout_info, dlen) != 0) goto error3; } @@ -279,9 +282,10 @@ long keyctl_join_session_keyring(const char __user *_name) name = kmalloc(nlen + 1, GFP_KERNEL); if (!name) goto error; + name[nlen] = '\0'; ret = -EFAULT; - if (copy_from_user(name, _name, nlen + 1) != 0) + if (copy_from_user(name, _name, nlen) != 0) goto error2; } @@ -583,9 +587,10 @@ long keyctl_keyring_search(key_serial_t ringid, description = kmalloc(dlen + 1, GFP_KERNEL); if (!description) goto error; + description[dlen] = '\0'; ret = -EFAULT; - if (copy_from_user(description, _description, dlen + 1) != 0) + if (copy_from_user(description, _description, dlen) != 0) goto error2; /* get the keyring at which to begin the search */ |